A Joomla! web site is no more or less secure than any other CMS or custom-developed web site. All web sites are vulnerable to malicious attacks, hackers, and spammers if you don't take the necessary steps to protect them. Securing a Joomla web site is as important as it is simple: just follow the checklist outlined in this article.
The first line of defense in protecting your web site is to understand Joomla's server requirements. Don't immediately select the lowest priced hosting provider or hosting that promises “unlimited” bandwidth or space. Do your research and find a reliable, Joomla-friendly hosting company.
Verify your web server meets the following recommended requirements:
As soon as you upload Joomla to your web server, it is ready to start the Joomla installation wizard. Anyone browsing to your site will see the installation wizard until you have completed the full installation process.
The FTP layer allows Joomla to read, write, and execute scripts on the server, which can be abused by poorly designed 3rd-party extensions or when your web server is configured incorrectly. You should never have this enabled on a live site.
In Joomla 1.5 you can change the default prefix of jos_ during installation. For Joomla 1.7 and above a random prefix is automatically generated for you (Figure 1).
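As an added example (not code from the original article), here is a small Python check for the two install-time settings just discussed, read straight from a Joomla configuration.php: whether the FTP layer is switched on and whether the database prefix is still the default jos_. It assumes the standard `$ftp_enable` and `$dbprefix` variable names and runs against a constructed sample file.

```python
import re
from typing import Dict, List

# Constructed sample of a Joomla configuration.php; the values are made up for this example.
SAMPLE_CONFIG = """<?php
class JConfig {
    public $sitename = 'Example Site';
    public $dbtype = 'mysqli';
    public $host = 'localhost';
    public $user = 'joomla_db_user';
    public $dbprefix = 'jos_';
    public $ftp_enable = 1;
    public $ftp_host = '127.0.0.1';
    public $debug = '0';
}
"""

# Matches both Joomla 1.5 ("var $name = ...;") and 1.7+ ("public $name = ...;") declarations,
# with the value either single-quoted, double-quoted, or a bare literal such as 1 or true.
_SETTING_RE = re.compile(
    r"""(?:var|public)\s+\$(\w+)\s*=\s*(?:'([^']*)'|"([^"]*)"|([^;\s]+))\s*;"""
)

def parse_config(text: str) -> Dict[str, str]:
    """Return the scalar settings declared in a configuration.php as a name -> string map."""
    settings = {}
    for m in _SETTING_RE.finditer(text):
        name = m.group(1)
        # exactly one of the three value groups matched; take it as-is (unquoted)
        value = next(g for g in m.groups()[1:] if g is not None)
        settings[name] = value
    return settings

def audit_config(text: str) -> List[str]:
    """Flag the two install-time settings this checklist covers: FTP layer and DB prefix."""
    s = parse_config(text)
    findings = []
    if s.get("ftp_enable", "0") not in ("0", ""):
        findings.append("ftp_enable is on: the FTP layer should be disabled on a live site")
    if s.get("dbprefix", "") == "jos_":
        findings.append("dbprefix is the default 'jos_': use a non-default table prefix")
    return findings
```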
During installation the first Super User (Admin) account is created. In Joomla 1.5 the user name defaults to admin. In Joomla 1.7 you can create your own user name; however, the “real name” associated with the Super User account in both versions is always Super User or Super Admin. Additionally, the Super User account is assigned a specific ID number by the system. In Joomla 1.5 the ID number is 62 or 63. In Joomla 1.7 and higher the ID number is 43 (Figure 2).
This information is common knowledge; by changing the following, however, you protect your Super User account(s) from unwanted access.
To change the Super User ID number, simply create a new User through the User Manager and then delete the original Super User account. You will need to log out and then log back in with the new account before you can delete the first Super User account. A secure Super User account contains your real name and a new ID number that differs from the default assigned by Joomla (Figure 3).
On a live web site your Joomla directories should be set to 755 and files should be 644. This allows Joomla, with the proper permissions, to Read, Write, and Execute files correctly. If an extension you use will not work or install properly, or asks you to CHMOD your file permissions to 777 in order to function, either your web server is configured improperly for Joomla privileges or it is a bad extension and you should not use it. Having directories and files with 777 privileges is a huge security risk!
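As an added example (not code from the original article), the following Python audit walks a site tree and reports every directory that is not 755 and every file that is not 644, then resets them. It builds its own throwaway sample tree with a 777 tmp directory and file, so it runs without touching a real install; the paths in that sample are constructed.

```python
import os
import stat
import tempfile
from typing import List, Tuple

DIR_MODE = 0o755   # directories on a live site
FILE_MODE = 0o644  # files on a live site

def audit_permissions(root: str) -> List[Tuple[str, str]]:
    """Return (relative path, octal mode) for every directory not at 755
    and every file not at 644 under root. Symlinks are skipped, not followed."""
    findings = []
    for dirpath, _dirs, filenames in os.walk(root):
        entries = [(dirpath, DIR_MODE)]
        entries += [(os.path.join(dirpath, f), FILE_MODE) for f in filenames]
        for path, expected in entries:
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue
            mode = stat.S_IMODE(st.st_mode)
            if mode != expected:
                findings.append((os.path.relpath(path, root), oct(mode)))
    return findings

def fix_permissions(root: str) -> int:
    """chmod every flagged entry back to 755/644 and return how many were changed."""
    changed = 0
    for rel, _mode in audit_permissions(root):
        full = os.path.join(root, rel)
        os.chmod(full, DIR_MODE if os.path.isdir(full) else FILE_MODE)
        changed += 1
    return changed

def build_sample_tree() -> str:
    """Constructed throwaway tree (not a real install) with a 777 directory and file."""
    root = tempfile.mkdtemp(prefix="joomla_demo_")
    os.makedirs(os.path.join(root, "administrator"))
    os.makedirs(os.path.join(root, "tmp"))
    for rel in ("configuration.php", "tmp/upload.php"):
        with open(os.path.join(root, rel), "w") as fh:
            fh.write("<?php\n")
    os.chmod(root, DIR_MODE)
    os.chmod(os.path.join(root, "administrator"), DIR_MODE)
    os.chmod(os.path.join(root, "configuration.php"), FILE_MODE)
    os.chmod(os.path.join(root, "tmp"), 0o777)             # the bad case
    os.chmod(os.path.join(root, "tmp", "upload.php"), 0o777)
    return root
```

Run `audit_permissions` against a site's document root before `fix_permissions`, so an entry a legitimate extension deliberately set can be reviewed first.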
Every day, hackers create new ways to attack sites. Developers and testers watch for vulnerabilities and new attack scripts. Keeping Joomla up to date keeps Joomla secure. The same goes for any 3rd-party extensions you are using.
Most patch releases and updates contain security and bug fixes. Just like using the most current supported PHP and MySQL versions, you need to keep Joomla and each of your Joomla extensions current.
For Joomla 1.5 you will need to perform updates on your web server or through an FTP program. For Joomla 1.7 and higher, updates are now handled with a single click through the Extension Manager.
Social interaction, allowing user registration, interaction through blog or article comments, and newsletter subscriptions are commonplace on today’s web sites. Along with allowing user interaction on your site come spam scripts just waiting to exploit your content. To protect your site from these exploits you need to lock registration down and ensure that real people are registering and using your site.
Joomla does not currently have a built-in mechanism to protect you from content spammers, so you should look into installing 3rd-party extensions such as ReCaptcha or Akismet. These extensions require input from a real person and help to keep spam scripts from creating dozens of user registrations on your site.
If you use a 3rd-party social extension such as Community Builder or JomSocial, it has user registration protection built in.
Although not as big a security risk as the other items I have listed here, it is important that you keep your Joomla cache, temp directory, and database tables cleaned up. It is not uncommon to try out a few different templates or 3rd-party extensions that you may later decide not to use. If you uninstall these extensions, not all of them remove the database tables they created. To keep your Joomla site optimized and running clean:
Note: I uninstall all Site templates except the one I am using and the Beez20 default template. Keeping the Beez20 default template helps you to troubleshoot Joomla template issues. Should you be faced with a white screen, you can change back to the default Site template to see if your problem is a template error.
The most important thing you can do is schedule regular backups of your Joomla site. Sign-up for backups with your hosting provider and perform physical backups yourself. Then keep a copy of your most recent site backup on your local computer. Should anything go wrong with your Joomla site you can immediately revert to a backup.
Following these simple steps will keep your Joomla site secure and protected. To make it even easier to perform the tasks mentioned in this article, I highly recommend you download the Admin Tools and Akeeba Backup extensions from Akeeba. These two free extensions contain all you need to secure and maintain your Joomla site. For more information or to download the Akeeba extensions, visit www.akeebabackup.com.